Malware developers create malformed code signatures to avoid detection

Google researchers uncover technique used to push dodgy software onto unsuspecting victims

Security researchers have discovered hackers creating malformed code signatures that Windows treats as valid, in order to avoid detection by security software.

Researchers at Google’s Threat Analysis Group found the hackers used the technique to install OpenSUpdater. They then use that software to download and install other suspicious programs.

“The actor behind OpenSUpdater tries to infect as many users as possible and while they do not have specific targeting, most targets appear to be within the United States and prone to downloading game cracks and grey-area software,” said Neel Mehta, a security researcher at Google.

About a month ago, Mehta found that OpenSUpdater developers had started signing samples with legitimate but intentionally malformed certificates. The samples were uploaded to VirusTotal as far back as mid-August, and Windows accepted them. OpenSSL, however, rejected them.

In these new samples, hackers edited the signature so an end-of-content (EOC) marker replaced a NULL tag for the “parameters” element of the SignatureAlgorithm signing the leaf X.509 certificate.

EOC markers exist to terminate indefinite-length encodings; here, however, an EOC appears inside a definite-length encoding, where it has no legitimate role.

“Security products using OpenSSL to extract signature information will reject this encoding as invalid. However, to a parser that permits these encodings, the digital signature of the binary will otherwise appear legitimate and valid,” said Mehta.
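The parser behaviour Mehta describes is easy to reproduce. The following is an added example written for this article (it is not code from Google TAG, OpenSSL or Microsoft): a minimal DER reader for the X.509 AlgorithmIdentifier structure, with a strict mode that rejects end-of-contents octets inside a definite-length SEQUENCE and a lenient mode that swallows them. The two byte strings are constructed for the example, one with the normal NULL parameters element (05 00) and one with an EOC marker (00 00) in its place. The `classify_encoding` helper turns the gap between the two parsers into a triage label, since "accepted only by a permissive parser" is exactly the pattern a scanner should flag rather than silently skip.

```python
"""Strict versus lenient DER parsing of an X.509 AlgorithmIdentifier.

Added example, not code from the article or from Google TAG. The sample
encodings below are constructed to mirror the difference the article
describes: NULL parameters (05 00) versus an end-of-contents marker (00 00)
placed where the NULL belongs, inside a definite-length SEQUENCE.
"""

# Constructed sample: AlgorithmIdentifier for sha256WithRSAEncryption,
# OID 1.2.840.113549.1.1.11, as found in a leaf certificate.
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")
WELL_FORMED = bytes([0x30, 0x0D]) + OID_SHA256_RSA + bytes([0x05, 0x00])  # NULL parameters
MALFORMED = bytes([0x30, 0x0D]) + OID_SHA256_RSA + bytes([0x00, 0x00])    # EOC in place of NULL


class DerError(ValueError):
    """Raised when an encoding violates DER rules or is truncated."""


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the definite-length TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise DerError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        # Indefinite length exists only in BER; DER and X.509 require definite lengths.
        raise DerError("indefinite length is not permitted in DER")
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DerError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise DerError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    if not content or content[-1] & 0x80:
        raise DerError("empty or unterminated OID")
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this subidentifier
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_algorithm_identifier(buf: bytes, strict: bool = True):
    """Parse SEQUENCE { algorithm OID, parameters ANY OPTIONAL }.

    Returns (oid_dotted, parameters_tag); parameters_tag is None when absent.
    Strict mode rejects an EOC marker (tag 0x00) inside the definite-length
    SEQUENCE, as OpenSSL does. Lenient mode swallows it as if the parameters
    field were simply absent, modelling a permissive parser.
    """
    tag, seq, end = read_tlv(buf, 0)
    if tag != 0x30:
        raise DerError("expected SEQUENCE")
    if end != len(buf):
        raise DerError("trailing bytes after SEQUENCE")
    tag, oid, pos = read_tlv(seq, 0)
    if tag != 0x06:
        raise DerError("expected OBJECT IDENTIFIER")
    algorithm = decode_oid(oid)
    if pos == len(seq):
        return algorithm, None
    tag, params, pos = read_tlv(seq, pos)
    if pos != len(seq):
        raise DerError("unexpected data after parameters")
    if tag == 0x00:
        if strict:
            raise DerError("end-of-contents octets inside a definite-length SEQUENCE")
        if params:
            raise DerError("EOC with non-zero length")
        return algorithm, None
    return algorithm, tag


def classify_encoding(buf: bytes) -> str:
    """Triage label: 'valid' (strict DER), 'lenient-only' (accepted only by a
    permissive parser, the pattern worth alerting on) or 'invalid'."""
    try:
        parse_algorithm_identifier(buf, strict=True)
        return "valid"
    except DerError:
        pass
    try:
        parse_algorithm_identifier(buf, strict=False)
        return "lenient-only"
    except DerError:
        return "invalid"


if __name__ == "__main__":
    for name, sample in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(f"{name}: {classify_encoding(sample)}")
```

The defensive lesson is in `classify_encoding`: a pipeline that simply drops anything its strict parser rejects creates the blind spot the article describes, whereas treating "parses leniently but not strictly" as a signal in its own right surfaces exactly these samples for review.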


Mehta said this was the first time his team had observed hackers using this technique to evade detection while preserving a valid digital signature on PE files.

"Since first discovering this activity, OpenSUpdater's authors have tried other variations on invalid encodings to further evade detection," Mehta added.

Upon discovering the issue, Mehta reported it to Microsoft for investigation. Mehta’s team is currently working with Google Safe Browsing to protect users from downloading and executing this unwanted software. He stressed that users should only download and install software from reputable and trustworthy sources.

OpenSSL, a widely used encryption software library, has itself been the subject of flaws. As reported in April, a severe flaw that could have allowed hackers to crash many servers was patched. The update, OpenSSL 1.1.1k, fixed two severe bugs, including CVE-2021-3449, which could have been exploited by hackers to deliberately crash vulnerable web servers or email servers at will, causing a looped denial of service (DoS) situation.
